What are spoofing and phishing?
Almost all large organizations have to deal with spoofing and phishing attacks. Spoofing is the practice of making an email not from a given domain appear as if it came from that domain. Phishing is the practice of sending emails disguised to look legitimate but which actually extract personal data from the target. Phishing attacks will frequently use email spoofing as a way to make their messages look more legitimate - and therefore more effective.
Consider the following situation: Bob, a finance employee at Acme Co, receives a message from Alice at Acme Co telling him an invoice needs to be paid immediately, and to click on a link to pay it. It looks strange, so Bob checks who the message is from. Gmail shows the message is from firstname.lastname@example.org. The message must be from Alice, right? Wrong - it's an attacker trying to steal personal information from Bob and Acme Co.
Without the proper protections in place on your domain, it's trivial to "spoof" a message and make it look like it came from a legitimate user of your organization. Some more sophisticated spammers will even try to copy company email styles in their phishing messages. While it's impossible to completely eradicate this threat, there's several steps both administrators and users can take to protect themselves from phishing attacks.
What can I do to prevent spoofing and phishing?
Administrators can take three major steps to securing the inboxes of their users against spoofing attacks:
This list is numbered for a reason - these steps have to be done in order. DMARC builds on DKIM, which builds on SPF - each adds an additional layer of security and protection against spoofing attacks. None of these steps require any additional licensing or payment. If you're a client and need help setting up any of these steps, please contact us and we can provide more information.
Not all phishing attacks will use spoofing - some will send email from regular email accounts, including consumer Gmail accounts. Because these messages - fraudulent as they are - are coming from Google, and identify themselves as coming from a regular Gmail account, they pass SPF, DKIM, and DMARC.
The best defense against this basic type of phishing attack is user education and reporting it as phishing in Gmail. Google scans outgoing messages' content for spam and phishing attacks but it can never be perfect, and malicious scammers constantly look for ways to get around these security measures.
What about my users?
For information to give to end users on avoiding phishing attacks, please see our article for users on how to spot dangerous emails and websites.
Some companies will also intentionally send out phishing emails to users as an educational exercise for their employees. These can help raise awareness of phishing attacks among employees and help educate people on how to avoid phishing attacks. Be careful, however, as Google will mark emails that looks like phishing as phishing emails - you may need to configure your environment so your safe test phish goes through without errors.
What about 3rd-party security gateways or appliances?
There are countless 3rd-party spam and phishing systems that promise to help prevent spam, phishing, malware, and other email-based attacks. They differ wildly in their operational methods and costs. Many large organizations use these appliances, but please consider performing the free three steps above before considering purchasing an appliance.
For more great security information from Google, check out Google's recommendations for G Suite Security Best Practices here.